In Windows 10 the Start Menu layout looks horrible to me after the first sign-in to a new Windows 10 device. That`s not only the case with a Windows 10 Home edition, but even when using Windows 10 Pro or Enterprise.
Ok, that finally changes in the latest Windows 10 1903 build, only showing the Office app, Edge and the Microsoft Store app by default. But still as an admin you maybe want to add some common used tiles to the Start menu to make the life of the end-user a little easier. Or you`re not already deploying 1903 and need to provide your users a more clean Start Menu.
With Microsoft Intune we can use a policy to set a customized Start Menu for our users, but because this is not a preference the user isn`t able to customize the Start Menu itself. I don`t prefer this option of blocking the user to configure his own Start Menu.
Another option is to define a default Start Menu which is only used to create the default Start Menu for the end-user at first logon, with the user still able to customize the Start Menu to his needs.
Such a default Start Menu can be set by using the PowerShell commands Export-StartLayout and Import-StartLayout. The layout configuration file which we get by running the Export command, can also be placed (manually) in the Default user profile. No matter which of these two options we choose to import the default Start Menu, a default Start Menu needs to by applied before the end-user first logs on to the device.
With the general availability of the Enrollment Status Page as part of Windows AutoPilot, we have the option to apply policies and software packages in the device setup stage before the end-user is logged on for the first time. As we are able to package (PowerShell) scripts in a WIN32 package, which can be deployed during ESP, that`s the easiest way to set our default start menu in my opinion.
The steps involved in this configuration are:
- Create and export a default Start Menu
- Create a PowerShell script
- Wrap the script and export in a WIN32 package
- Deploy the WIN32 package with Microsoft Intune
- Configure the Enrollment Status Page
Create and export a default Start Menu
The first thing we need to do is creating a Start Menu which we like to deploy to our Windows 10 devices. When finished customizing the Start Menu, we need to export the Start Menu with the Export-StartLayout command: Export-StartLayout -Path .\LayoutModification.xml -UseDesktopApplicationID
Have a look at the Microsoft docs for information about the Export command.
To prevent issues with pinned tiles I have used the switch -UseDesktopApplicationID
The export we get is in a XML format and contains a configuration like below. My file contains a few lines for Office ProPlus application tiles and two browsers.
Besides setting a default start menu, you can also add a section to the XML file to control the shortcuts on the taskbar. You can use the same DesktopApplicationIDs for this. More on that is found on Microsoft Docs.
Create a PowerShell script
To import the XML file we can use a one-line PowerShell command as you can read in the docs:
Import-StartLayout -LayoutPath “Layout.xml” -MountPath “C:\”
In our PowerShell script this looks likes:
Import-StartLayout -LayoutPath “$PSScriptRoot\LayoutModification.xml” -MountPath $env:SystemDrive\
Where I use $PSScriptRoot for the location where the script and XML are (temporary) stored.
An example script is provided below. It might be a bit overkill in your environment, as it contains a section for error handling. It also contains a part to run the script in the right context, which I got from fellow MVP Peter van der Woude. And it writes the result in the registry which I use in Intune to detect if the script runs successfully.
#Run PS in x64 context on x64 platform
If ($ENV:PROCESSOR_ARCHITEW6432 -eq "AMD64") {
Try {
&"$ENV:WINDIR\SysNative\WindowsPowershell\v1.0\PowerShell.exe" -File $PSCOMMANDPATH
}
Catch {
Throw "Failed to start $PSCOMMANDPATH"
}
Exit
}
Function CleanUpAndExit() {
Param(
[Parameter(Mandatory=$True)][String]$ErrorLevel
)
# Write results to registry for Intune Detection
$Key = "HKEY_LOCAL_MACHINE\Software\InTheCloud247\StartMenu\v1.0"
$NOW = Get-Date -Format "yyyyMMdd-hhmmss"
If ($ErrorLevel -eq "0") {
[microsoft.win32.registry]::SetValue($Key, "Success", $NOW)
} else {
[microsoft.win32.registry]::SetValue($Key, "Failure", $NOW)
[microsoft.win32.registry]::SetValue($Key, "Error Code", $Errorlevel)
}
# Exit Script with the specified ErrorLevel
EXIT $ErrorLevel
}
# Set the initial Windows 10 Start Menu Layout
$Error.Clear()
Import-StartLayout -LayoutPath "$PSScriptRoot\LayoutModification.xml" -MountPath $env:SystemDrive\
If ($Error.Count -gt 0) {
CleanUpAndExit -ErrorLevel 101
} else {
}
CleanUpAndExit -ErrorLevel 0Create the WIN32 package
Now that we have our XML file and PowerShell script, it needs to be wrapped to a WIN32 package which we can deploy using Intune.
The tool which we need to wrap the script can be downloaded from GitHub where you can also find instructions how to use it.
Make sure the XML file and PowerShell script are saved in the same folder, without any other files.
- Start PowerShell as admin and start IntuneWinAppUtil.exe.
- Enter the location of the files as source folder.
- Enter the name of the PowerShell script as setup file.
- Enter an output folder.
- Choose N to not specify a catalog folder
The output is an intunewin file which is a container file containing our XML and PS script which we deploy with Intune.
Deploy the WIN32 package with Intune
Next step is to deploy the WIN32 package with Microsoft Intune.
- Sign-in to the Endpoint Manager admin center
- Browse to Apps – Windows
- Click Add
- Choose Windows app (WIN32)
- Click Select
- Click Select app package file
- Browse to the intunewin file and select the file
- Click OK
- Enter a Name
- Enter a Description
- Enter the Publisher name
- Enter all other information (Optional)
- Click Next
- Enter the install command: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -file .\DefaultStartmenu.ps1
- Enter the uninstall command (we don`t have an uninstall option, so I filled in the same command)
- Leave everything as default
- Click Next
- On the Requirements tab make your choices
- Click Next
- Choose Manually configure detection rule on the Detection rules tab
- Click Add
- Choose Registry as Rule type
- Enter the key path which is set by the script
- Enter the Value name
- Choose Value exists As detection method
- Click OK
- Click Next
Make sure to assign the application as required to a device group.
Configure the Enrollment Status Page
I assume the Enrollment Status Page is already enabled for your (test) users and we only need to add the Default Start Menu app as required app during the enrollment. If you require all apps to be installed during enrollment, you can skip this step.
- Browse to Devices – Windows
- Click Windows Enrollment
- Click Enrollment Status Page
- Click the Enrollment Profile
- Click Properties
- Click Edit next to Settings
- Click Select apps
- Check the Default Start Menu app
- Click Select
- Click Review + save – Click Save
End-User experience
When everything is set, turn on a Windows 10 device which is registered as AutoPilot device in Intune.
Authenticate with a user which is targeted by the Enrollment Status Page.
During the second stage, the Device setup stage, device targeted applications are installed. During this stage the Default Start Menu application is installed and the LayoutModification.xml file is copied in the default user profile. This all happens before the end-user profile is created.
When the deployment is finished and the user is logged on for the first time to the device, the user is presented a nice and clean Start Menu. As you can see, the user is still able to (un)pin tiles.
Interested in configuring the Windows 11 start menu? Also read this article.
Thank you for reading this article. Feel free to contact me when you have questions or comments. You can do that by leaving a comment below or send me an email.
I just did the same last week. Works like a charm. I used Michael Niehaus single MSI file Autopilot branding project in github (i presume you also know that article).
PS. What are your findings and experience with the builtin StartMenu Lay-out policy in Intune? I think its a jok, many times it does not work, sometimes only on new profiles and pinning non installes applications is not possible.
I never used the Start Menu policy in a production environment. Until now haven’t done a project at which it was a requirement to lock the Start Menu.
I must be missing something. In advanced installer, when I go into Resources > Files and Folder > Windows Volume > Windows > I dont see a users folder.
Please Advise
You can just create the folder structure by adding the (new) folders.
Application Shortcut folder and all the rest is grayed out
Just right-click on the folder Windows Volume and choose New folder. Aftert creating the first folder (Users) the folder isn`t greyed out any more and you can create the complete folder structure.
Hi Peter
Think you misunderstanding me. In Install Parameters once I change Application folder everything else gets greyed out and I cant get it back or enter anything. Please advice.
It seems the function of creating a MSI is removed and because of that also the options under Install parameter. Which is not really strange as the express version was intended to create msix/appx files.
We can achieve the same with a Powershell script and wrap it as win32 app and deploy that file with Intune.
As soon I have time, I re-write the post with that information.
The File is being copied to the the default users location. But its not being applied.
As we change the default startmenu, this setup only applies to users which sign-in for the first time on a device. Is that the case in your situation?
Anyone else have luck with the install parameters? Mine is greyed out also
The above did not work for me, for some reason.
I was able to create the start menu and exported it to LayoutModification.xml I then package it to MSI and made it a required app on ESP before users are allowed to log in.
When the first user logs in I see the “LayoutModification.xml” in Windows Volume\Users\Default\AppData\Local\Microsoft\Windows\Shell
But when the first user logs in for me the start menu doesnt seem to be customised based on LayoutModification.xml.
I then log out and log in as another user and the second user that logs in has the customised start menu.
Can you please advise if I have missed anything or do you know what might have caused this issue?
Your help is much appreciated.
Did you assign it to a security group with users or devices? Make sure to assign it to a group with devices.
And try to deploy it was win32 app, which is preferred since we have that option GA.
Thanks for responding.
I can confirm that the security group is all devices and I tried via win32 app deployment and made it a Required App via the Enrolment status page.
The weird thing is even though it is a required app on ESP. I noticed that it will install straight away after the use has logged into the machine.
Do you know why this might be?
Hello,
I have the same issue. It’s working but not for the first logged user.
It’s deployed on a device group, and all apps are required on ESP.
It’s also a win32 app.
Any hints?
Thanks,
Sorry for the late response.
Have a look at the article again, as I did an update to show you how this can be done more easily in these days by using a Powershell script and win32 package.
Powershell Script will NOT work because
$ENV:PROCESSOR_ARCHITEW6432 is WRONG, has to be $ENV:PROCESSOR_ARCHITECTURE
Maybe you can outline why it wouldn`t work in your opinion. Works fine in our environment.
Regards,
Peter
You my friend, are a genius. This worked for me importing a taskbar (not start menu) layout with xml file using Import-StartLayout command during Autopilot enrollment, then a new user logs in and its there (win 11). The 64 bit command was required. I used
if (“$env:PROCESSOR_ARCHITEW6432” -ne “ARM64”)
{
if (Test-Path “$($env:WINDIR)\SysNative\WindowsPowerShell\v1.0\powershell.exe”)
{
& “$($env:WINDIR)\SysNative\WindowsPowerShell\v1.0\powershell.exe” -ExecutionPolicy bypass -NoProfile -File “$PSCommandPath”
Exit $lastexitcode
}
}
So this can only be applied before the user logs in the first time? What about changing it after users have been using the PC for a while?
Yes, that`s correct.
You can upload a start menu layout in a Device restrictions policy. The downside is the end-user isn`t able to change his start menu.
Yes I have done that but it is hit and miss, does not apply the way it should for all users. Some tiles have no pictures for some users. Also when you change or add stuff it takes ages to apply and again never applies for some.
I ran into an error when using the script, something wrong with the registry key. I found a typo in the snippet in this line:
$Key = “HKEY_LOCAL_MACHINE\Software$StoreResults”
I changed it to
$Key = “HKEY_LOCAL_MACHINE\Software\$StoreResults”
Then the script would run properly.
Thanks, but I don`t see the typo and I didn`t change anything yet 🙂
there is “\” between software and dollar sign. but i tried but seems the first logged in user will not receive this start menu
Wow, that`s pretty strange!
In the WordPress editor it shows fine, even when I open the actual page (when I`m signed in to WordPress). As soon as I open another page or sign out form WordPress, the the back slash is missing.
Hi, im completely new to intune and working my way throguh some basic deployments, I have a previous startmenu which i took from our GPO’s here and deployed it intune/device restrictions policy, which is fine for us as we are a school and dont want users changing altering things. Quesiton i have is how do i remove all the default admin folders in the start menu. Windows Administrative tools, Windows ease of access, Windows powershell, windows system.? It maybe something im overlooking but i cant seem to find a way of removing these items. Thnaks and great Site full of useful information.
I have the same issue. Did you find a solution ?
Hi Clive/Scott,
It is in preview at the moment, but you can now find out the Intune equivalent settings of the GPO you use to help with moving away from Group Policy.
Within the Intune/MEM admin center, do to Devices > Policy Section. You will see ‘Group Policy Analytics’.
To use, you export one of you GPO’s and save as an XML file. You then import this into the Analytics page. It will tell you what can be ported over and where that Intune setting is.
Hope that helps
Getting this error when I run the script on my PC:
MethodInvocationException: C:\temp\startmenu\startmenu.ps1:22
Line |
22 | [microsoft.win32.registry]::SetValue($Key, “Success”, $NOW)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling “SetValue” with “3” argument(s): “The parameter is incorrect.”
Works fine here. Could it be related to the missing backslash that was mentioned in hat-cats post above?
Must be the back slash, which is for some reason missing (but it isn`t in the Editor.
I now removed the variable and set the regkey to a static one. Give that a try and let me know if it works now.
Regards,
Peter
Just letting you know when trying the script in its current form, the double quotation at the end of this string breaks the script – $Key = “HKEY_LOCAL_MACHINE\Software\InTheCloud247\StartMenu\v1.0″”
Should be: $Key = “HKEY_LOCAL_MACHINE\Software\InTheCloud247\StartMenu\v1.0”
Thanks Mitchell, I changed it.
As i didn’t mention it before, thank you for this helpful guide and script!
Hi Peter,
Thanks a lot for this. I prefer this method as well. The only flaw I cannot seem to find the solution for is that if a user unpins one of the icons on the taskbar, after a reboot it reappears..any thoughts?
Regards, Guus
Hi Guus,
I’ve no idea. Haven’t seen any article or something that describes such a solution.
It seems to be getting stuck on the detection rule as it stops at Apps 3 of 6 in Device Setup. If I click Continue Anyway however it proceeds to install correctly.
This is all about the StartLayout, not the startmenu btw.
The startmenu is not changed in any way by using the methods in this article.
Partial Start layout could be good fit to balance Org specific start layout with user enabled customisation.
Please do not include XML Prologs like in the Start layout XML file when applying exported layout from Intune, it will not be applied.
https://docs.microsoft.com/en-us/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management
Thought I’d post this in case others run into this. I followed the steps but still it does not work. The difference is that I edit the taskbar pinned apps as well and was sure I had it correct. I ended up looking for other ways and I ended up using a device restriction policy to get it working from https://nathanblasac.com/deploy-a-custom-start-layout-configuration-policy-via-intune-windows-10-1809-a4ed72875c08. While users cannot edit the start menu from the apps you specify in the xml, it does give flexibility to still allow them to pin/remove their choice apps from the Start and task bar.
I just copied the script from above, saved it and the XML to a folder I created C:\Test. When I run the script I get this error: Import-StartLayout : Cannot find path ‘C:\Users\Delete\Desktop\Test\LayoutModification.xml’ because it does not exist.
What am I missing that is causing the error?
Thanks
The location of the XML isn’t correct. Variable $PSScriptRoot is used, which is the location where the script is run from.
You can change that to your needs, to a hard-coded path, or another variable.
Hi Peter,
Thanks for the solid assistance in building out our Intune environments. What are your solutions for Edge Assets in these pinlists (if you have any).
Appreciate your help,
Darren